The use of personal devices for professional purposes, known as bring your own device (BYOD), has become common in hospitals. Clinicians increasingly rely on smartphones, tablets and laptops to access electronic medical records, support decision-making and communicate with colleagues. This flexibility enhances efficiency but exposes sensitive patient data to new risks. Traditional approaches to cybersecurity often emphasise technical solutions while overlooking the role of human behaviour, workflow integration and organisational culture. Recognising this gap, researchers developed and tested a maturity model designed specifically for hospital BYOD security. The model integrates technological, policy and human factors to provide hospitals with a structured pathway to assess and improve their security practices.
Integrating Technology, Policy and People
The model encompasses 21 domains across three dimensions: technology, policy and people. Each domain is assessed across five maturity levels, progressing from minimal or ad hoc practices to advanced, automated and fully integrated measures. In the technology dimension, domains include identity and access management, device security, network protection and clinical communication. These cover the transition from reliance on passwords and unsecured personal apps to advanced solutions such as role-based access control, endpoint protection and dedicated clinical communication platforms. The policy dimension focuses on governance, regulatory compliance, incident response and accountability, guiding hospitals from informal practices to robust frameworks with real-time enforcement and automated monitoring. The people dimension addresses human factors, such as security awareness training, stakeholder involvement, usability and security culture. At higher maturity levels, hospitals adopt proactive strategies that integrate training into clinical workflows, secure leadership support and foster collaborative engagement between IT staff and clinicians. By embedding sociotechnical considerations, the model enables hospitals to align technical controls with clinical needs and regulatory requirements.
Pilot Implementation and Hospital Insights
A pilot implementation was carried out in a public metropolitan hospital in Victoria, Australia. Ten participants, including IT managers and clinicians, completed a maturity assessment and later joined a co-design workshop. The assessment revealed an overall maturity score of 2.04, indicating that the hospital operated mainly at a foundational level. Technology domains scored slightly higher than policy, but all three dimensions showed significant room for improvement.
Workshop discussions prioritised six domains: identity and access management, clinical communication, BYOD strategy, governance, stakeholder involvement and security culture. Challenges included cumbersome authentication processes, the use of unsanctioned communication platforms, a lack of clear strategic direction and resistance from staff who viewed device management solutions as intrusive. Recommendations emphasised practical steps such as implementing single sign-on, formalising BYOD strategies, adopting secure communication tools, clarifying governance roles and engaging clinicians in security decision-making. By addressing both technical gaps and sociotechnical concerns, the hospital identified actionable improvements that balanced security with clinical productivity.
From Framework to Long-Term Adaptability
The model’s strength lies in its structured yet flexible design. Hospitals can assess their current practices, identify gaps and plan realistic steps for improvement, guided by detailed descriptions of maturity levels within each domain. For example, a hospital at level two in identity management can review higher-level indicators to understand how to progress towards more advanced solutions, such as role-based access control or federated single sign-on.
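To make the assessment mechanics concrete, the following added example (not code from the article or the study) implements the scoring and gap-review workflow described in the sections on the model's three dimensions, the pilot's overall score and the level-by-level review above: participants rate each domain from 1 to 5, the tool aggregates domain, dimension and overall scores, lists the weakest domains for a workshop to prioritise, and shows the next level's indicator for a domain. Only twelve of the 21 domains are named in the article, so only those appear; the ratings are constructed, the level-indicator wording for the lower levels is assumed (the article names only role-based access control and federated single sign-on at the advanced end), and treating the integer part of a score as the current level is an assumption, not the paper's rule.

```python
from statistics import mean

# Subset of the model's 21 domains, grouped by dimension, as named in the
# article. The remaining domains are not listed there and are omitted.
DOMAINS = {
    "technology": [
        "identity and access management", "device security",
        "network protection", "clinical communication",
    ],
    "policy": [
        "governance", "regulatory compliance",
        "incident response", "accountability",
    ],
    "people": [
        "security awareness training", "stakeholder involvement",
        "usability", "security culture",
    ],
}

# Hypothetical level indicators for one domain. The article names only the
# advanced end (role-based access control, federated single sign-on); the
# wording of the lower levels is assumed for illustration.
LEVEL_INDICATORS = {
    "identity and access management": {
        1: "shared logins or password-only access, no central directory",
        2: "individual accounts and passwords, manual provisioning",
        3: "central directory with multi-factor authentication on personal devices",
        4: "role-based access control mapped to clinical roles",
        5: "federated single sign-on with automated, policy-driven provisioning",
    },
}

# Constructed ratings: three participants each rate a domain from 1 (ad hoc)
# to 5 (automated and fully integrated). These are not the pilot's data.
RATINGS = {
    "identity and access management": [2, 3, 2],
    "device security": [3, 2, 2],
    "network protection": [3, 3, 2],
    "clinical communication": [2, 1, 2],
    "governance": [2, 1, 1],
    "regulatory compliance": [3, 2, 2],
    "incident response": [2, 2, 2],
    "accountability": [2, 1, 2],
    "security awareness training": [2, 2, 3],
    "stakeholder involvement": [1, 2, 1],
    "usability": [2, 3, 2],
    "security culture": [1, 2, 2],
}


def domain_scores(ratings):
    """Mean rating per domain, rejecting anything outside the 1..5 scale."""
    scores = {}
    for domain, values in ratings.items():
        if not values or any(v not in (1, 2, 3, 4, 5) for v in values):
            raise ValueError(f"invalid ratings for {domain!r}: {values}")
        scores[domain] = mean(values)
    return scores


def dimension_scores(ratings):
    """Unweighted mean of the domain scores within each dimension (assumed aggregation)."""
    scores = domain_scores(ratings)
    return {dim: mean(scores[d] for d in domains if d in scores)
            for dim, domains in DOMAINS.items()}


def overall_score(ratings):
    """Mean of all domain scores, the single figure the pilot reported as 2.04."""
    return mean(domain_scores(ratings).values())


def priority_domains(ratings, n=3):
    """The n lowest-scoring domains; ties are broken by name so output is stable."""
    scores = domain_scores(ratings)
    ordered = sorted(scores.items(), key=lambda kv: (kv[1], kv[0]))
    return [domain for domain, _ in ordered[:n]]


def next_level(domain, score):
    """Treat the integer part of the score as the current level (assumption) and
    return (next level, its indicator), or None if the domain has no indicators
    or is already at level 5."""
    target = int(score) + 1
    indicators = LEVEL_INDICATORS.get(domain, {})
    if target > 5 or target not in indicators:
        return None
    return target, indicators[target]


def gap_report(ratings, n=3):
    """Assemble the assessment output a hospital would review in a co-design workshop."""
    scores = domain_scores(ratings)
    report = {
        "overall": round(overall_score(ratings), 2),
        "dimensions": {k: round(v, 2) for k, v in dimension_scores(ratings).items()},
        "priorities": [],
    }
    for domain in priority_domains(ratings, n):
        report["priorities"].append({
            "domain": domain,
            "score": round(scores[domain], 2),
            "next_level": next_level(domain, scores[domain]),
        })
    return report


if __name__ == "__main__":
    import json
    print(json.dumps(gap_report(RATINGS), indent=2))
```

With the constructed ratings the overall score comes out at 2.00, policy scores lowest of the three dimensions, and governance and stakeholder involvement surface as the weakest domains, which mirrors the pilot's finding that technology scored slightly above policy and that governance and stakeholder engagement needed attention. The ratings validation matters in practice: a maturity assessment is only as trustworthy as its inputs, and an out-of-scale or empty rating silently pulling a domain mean up or down would misdirect the workshop's priorities.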
The model also emphasises adaptability, allowing updates to reflect emerging threats, new technologies and evolving regulations. Its modular nature ensures alignment with internationally recognised standards, while providing the context-specific detail required for healthcare environments. By integrating technical, policy and human factors, it operationalises abstract concepts such as security culture into measurable, practical steps. This enables hospitals not only to strengthen data protection but also to build trust, enhance usability and maintain clinical efficiency.
The BYOD security maturity model demonstrates the value of a sociotechnical approach in healthcare cybersecurity. By uniting technical controls with policy frameworks and human-centred factors, it provides hospitals with a practical tool to identify vulnerabilities and design structured improvement pathways. The pilot implementation highlighted the importance of engaging both IT and clinical staff in shaping secure, usable solutions. Adopting a tailored maturity model offers a way forward, equipping organisations with the ability to adapt, progress and sustain strong security practices in clinical environments.
Source: JMIR Human Factors